[pve-devel] applied-series: [PATCH common/access-control v2 0/2] implement ldap/ad sync

Thomas Lamprecht t.lamprecht at proxmox.com
Sat Mar 21 16:47:26 CET 2020


On 3/13/20 1:18 PM, Dominik Csapak wrote:
> this series implements basic ldap/ad user/group sync via api/cli
> a new api call for realms called 'sync' is implemented which
> calls the plugins 'get_{user,group}' sub which in turn uses
> the realms config to get the relevant users/groups
> and this is then written into the user config
> 
> things not yet implemented, but can be done later on
> * auto-sync
>    we probably want to be able to 'auto-sync' the users/groups,
>    so probably some kind of systemd timer which calls pveum?
>    we have to somehow make this configurable and of course
>    only call it from one node (however this can be done)

I'd go for something like:
* setup the job for all (or include in daily stuff)
* get cluster lock ('realm-sync' domain lock)
* check a file for the last successful sync, if it's more than x hours
  (e.g., 12 or 20 - can be a bit arbitrary but 1 < x < 24)
* if OK then exit
* else sync and update file

This could be done in a bit of a general way, for possible reuse.

> * preview mode
>    we could implement a 'preview' api call (or option) so that
>    it only returns what would be done, so that we can show the
>    user a preview. this should not be that hard to implement

dry run mode would definitely be nice

> * gui
>    a 'sync' gui where the user can put in the sync relevant config
>    options and a button which actually syncs the users should
>    not be that hard

Adding the "default sync options" in the realm/auth edit dialog would
be good. Sync too, naturally :)

Also, as discussed offline, it may be worth looking into whether we can
integrate coping with the posixGroup and its commonly used 'memberUid'
attribute, some samba and ldap managers seem to set that up by default.

But as discussed offlist: let's first wait and see how actual users can
integrate it as is in their environments, it worked OK for PMG for a while
after all.

Thanks!
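An added example, not code from this thread or from Proxmox, sketching the throttled auto-sync job outlined above as a POSIX sh script a systemd timer could call on every node. Assumed, not taken from the thread: the state file and lock directory paths, a 12 hour threshold, the `pveum realm sync <realm>` invocation, and an atomic `mkdir` as a single-host stand-in for the cluster-wide 'realm-sync' lock (the real thing would use the cluster lock so only one node syncs).

```shell
#!/bin/sh
# Hypothetical throttled realm sync job (example only, not Proxmox code).
# Flow: take the lock -> read the last-success timestamp -> exit if recent
# enough -> otherwise run the sync and record the new timestamp on success.

SYNC_STATE="${SYNC_STATE:-/var/lib/pve-realm-sync/last-success}"   # assumed path
SYNC_LOCK="${SYNC_LOCK:-/run/lock/pve-realm-sync}"                  # assumed path
MAX_AGE_HOURS="${MAX_AGE_HOURS:-12}"                                 # 1 < x < 24

# sync_needed STATE_FILE MAX_AGE_HOURS NOW_EPOCH
# Returns 0 (sync needed) when there is no usable timestamp yet, when the
# recorded timestamp lies in the future (clock skew), or when it is older
# than the threshold; returns 1 when the last success is recent enough.
sync_needed() {
    sn_state="$1"; sn_max_age_hours="$2"; sn_now="$3"
    [ -f "$sn_state" ] || return 0
    sn_last=$(cat "$sn_state" 2>/dev/null)
    case "$sn_last" in ''|*[!0-9]*) return 0 ;; esac   # corrupt file: resync
    sn_age=$(( sn_now - sn_last ))
    [ "$sn_age" -lt 0 ] && return 0
    [ "$sn_age" -ge $(( sn_max_age_hours * 3600 )) ]
}

# record_success STATE_FILE NOW_EPOCH
# Writes the timestamp atomically (tmp file + rename) so a crash mid-write
# never leaves a half-written state file behind.
record_success() {
    rs_state="$1"; rs_now="$2"
    mkdir -p "$(dirname "$rs_state")"
    printf '%s\n' "$rs_now" > "$rs_state.tmp" && mv "$rs_state.tmp" "$rs_state"
}

# run_sync_job STATE_FILE MAX_AGE_HOURS LOCK_DIR SYNC_CMD [ARGS...]
# Returns 0 when the sync ran and succeeded or was skipped (throttled or lock
# held), 1 when the sync command failed; the state file is only updated on
# success, so a failed run is retried on the next timer tick.
run_sync_job() {
    job_state="$1"; job_max_age="$2"; job_lock="$3"; shift 3
    # mkdir is atomic, so only one instance gets past this point.
    if ! mkdir "$job_lock" 2>/dev/null; then
        echo "realm sync: lock held by another instance, skipping"
        return 0
    fi
    job_now=$(date +%s)
    job_rc=0
    if ! sync_needed "$job_state" "$job_max_age" "$job_now"; then
        echo "realm sync: last success is recent enough, nothing to do"
    elif "$@"; then
        record_success "$job_state" "$job_now"
    else
        echo "realm sync: command failed, state file left unchanged" >&2
        job_rc=1
    fi
    rmdir "$job_lock"
    return "$job_rc"
}

# Invoked with a realm name (e.g. from a systemd timer), run the real job;
# the 'pveum realm sync' command line is assumed here.
if [ "$#" -gt 0 ]; then
    run_sync_job "$SYNC_STATE" "$MAX_AGE_HOURS" "$SYNC_LOCK" pveum realm sync "$1"
fi
```

Because the timestamp is written only after the sync command succeeds, a transient LDAP outage simply leaves the old timestamp in place and the next timer tick retries; the lock keeps two overlapping ticks from syncing twice, and the same state file check makes it safe to schedule the job on every node once the lock is the cluster-wide one.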
